TRANSCRIPT
1 of 51
Title: New Technologies in Standards-Based Internetwork Management
Session #: 327
Speaker: Jeffrey D. Case, Ph.D.
Company: SNMP Research
2 of 51
Topics
• Introduction
• Current State-of-the-Art: SNMPv3
• Future Directions -- 4 Initiatives
– Ease of use
– Enhanced Security for Manager-to-Agent Communications (SNMPv3 ESO)
– Protocol Enhancements (SNMPv3 APO)
– XML-based modeling and transport of management information (XML SNMP)
• Conclusions
3 of 51
SNMP in One Slide
• Common organization structure for management information (SMI)
• One naming space for all management “objects” (MIB)
• Communications Protocol (SNMP)
[Diagram: a Manager sends Get and Set Requests to Agents; Agents return Responses and Notifications. Agents live in Networking Equipment, Servers, PCs, and Software Applications.]
4 of 51
Secure SNMPv3
5 of 51
Standards-based Manager-to-Agent Security
• The overall goal is to harden today’s management systems by incorporating protection mechanisms that match the potential level of threat, with multiple levels of rings of protection/trust
• Today’s heightened threat level requires heightened protection mechanisms
6 of 51
Standards-based Manager-to-Agent Security
• SNMPv1: 1988 – present
– Plaintext community string, e.g., “public”
– No Authentication / no Privacy
• SNMPv2c: 1995 – present
– Plaintext community string, e.g., “public”
– No Authentication / no Privacy
• SNMPv3: 1998 – present
– Strong Authentication, Weak Privacy
• SNMPv3 ESO (Extended Security Options): 2003 – present
– Strong Authentication, Strong Privacy
7 of 51
Features of SNMPv3: Security and Administration
• Authentication
– User-based strong authentication of messages
– MD5 or SHA in private key model with localized keys
– More than good enough for virtually all applications today
• Privacy
– Protect management and configuration data from unauthorized disclosure
– Encrypt SNMP payload for confidentiality
– Private key model with localized keys
– DES or AES
– Standard is extensible for stronger cryptography
8 of 51
Features of SNMPv3: Security and Administration (Continued)
• Authorization and View-Based Access Control
– Authorization: what functions are permitted (read, write, notify)
– Access Control: restrictions on what data may be read / written, potentially very fine grained
– Based on groups of SNMPv3 “users”
• An SNMPv3 user might be a system, person, or role
• Separation of people and policies
• The management application determines how its “users” (operators) map to SNMPv3 “users”
• Administrative framework to support the above
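The slide describes the chain operator -> SNMPv3 user -> group -> view, but does not show how a decision comes out of it. The following is an added example, not code from the slides or from SNMP Research: a small model of view-based access control in which a group's access entry names a minimum security level and one view per operation, and a view is a set of included/excluded OID subtrees resolved by longest-prefix match (the family-mask wildcarding of the real VACM MIB is left out). All user, group, view and operator names and the OIDs are constructed sample configuration.

```python
# Added example: a minimal view-based access control check (VACM-style).
# Names, OIDs and the mapping below are constructed sample data, not a
# real agent's configuration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple      # OID prefix, e.g. (1, 3, 6, 1, 2, 1, 1)
    included: bool = True   # True = subtree is in the view, False = carved out


def oid(text):
    """Parse a dotted OID string into a tuple of ints."""
    return tuple(int(x) for x in text.strip(".").split("."))


def view_permits(view, target):
    """Longest matching subtree wins; its included flag is the answer."""
    best = None
    for entry in view:
        if target[:len(entry.subtree)] == entry.subtree:
            if best is None or len(entry.subtree) > len(best.subtree):
                best = entry
    return best is not None and best.included


# Security levels in ascending order of protection.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# Operator (a person using the management application) -> SNMPv3 user.
OPERATORS = {"alice": "noc-monitor", "bob": "noc-admin"}

# SNMPv3 user -> group.
USERS = {"noc-monitor": "monitor-group", "noc-admin": "admin-group"}

# Views: "system-only" exposes the system group; "all-but-usm" exposes the
# whole internet subtree except the USM MIB (1.3.6.1.6.3.15), so user and
# key configuration cannot be read back even by a user with broad rights.
VIEWS = {
    "system-only": [ViewEntry(oid("1.3.6.1.2.1.1"))],
    "all-but-usm": [ViewEntry(oid("1.3.6.1")),
                    ViewEntry(oid("1.3.6.1.6.3.15"), included=False)],
}

# Group -> minimum security level plus the view used for each operation.
# A missing operation means that operation is not authorized at all.
ACCESS = {
    "monitor-group": {"min_level": "authNoPriv", "read": "system-only"},
    "admin-group": {"min_level": "authPriv", "read": "all-but-usm",
                    "write": "all-but-usm", "notify": "all-but-usm"},
}


def is_access_allowed(user, level, op, target):
    """Decide whether SNMPv3 `user`, at security `level`, may perform
    `op` ('read', 'write' or 'notify') on the object `target`."""
    group = USERS.get(user)
    if group is None or group not in ACCESS:
        return False
    entry = ACCESS[group]
    if LEVELS[level] < LEVELS[entry["min_level"]]:
        return False            # message not protected strongly enough
    view_name = entry.get(op)
    if view_name is None:
        return False            # function not authorized for this group
    return view_permits(VIEWS[view_name], oid(target))


def operator_may(operator, level, op, target):
    """Same check, starting from the management application's operator."""
    user = OPERATORS.get(operator)
    return user is not None and is_access_allowed(user, level, op, target)


if __name__ == "__main__":
    print(operator_may("alice", "authNoPriv", "read", "1.3.6.1.2.1.1.5.0"))
    print(operator_may("bob", "authPriv", "read", "1.3.6.1.6.3.15.1.2.2.1.3"))
```

The excluded-subtree entry is the part worth copying: a broad "all" view with targeted carve-outs is how the administrative data itself (users, keys, views) is kept out of reach of ordinary operators.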
9 of 51
SNMPv3 Administrative Framework
• All of this configuration information is stored in Management Information Base (MIB) tables
• Remotely configurable via SNMP operations
• Standard supports remote configuration of:
– Users, including key management
– Groups
– Views
– Community strings for SNMPv1 & SNMPv2c, if any
– Notification destinations
– Source-side notification filtering
10 of 51
SNMPv1/SNMPv2c Not Secure
[Diagram: an Administrative Workstation and an NMS (HP OpenView NNM) in the Network Operations Center, behind a Firewall, exchange SNMPv1/v2 traffic with Managed Device(s) and Managed System(s) (e.g., CIAgent); an Attacker is shown on the path of that traffic.]
11 of 51
Secure SNMPv3
[Diagram: the same topology, but the NMS (HP OpenView NNM) now runs the SNMP Security Pack and the traffic crossing the Firewall to the Managed Device(s) and Managed System(s) (e.g., CIAgent) is SNMPv3; the Attacker is still shown on the path.]
12 of 51
“Distributed SNMP Security Pack for HP OpenView” Solution
• Standards-based security solution with NNM
• Integration was jointly developed by HP and SNMP Research
• Maps outbound SNMPv1/SNMPv2c requests to SNMPv3 requests sent to the target agent
• Converts responses from the agent into SNMPv1/SNMPv2c, and provides additional information on the source address
• Receives notifications (traps and informs) and passes them to NNM, OVPI, OVO, etc.
13 of 51
“Distributed SNMP Security Pack for HP OpenView” Solution
• Includes security configuration datastore
• Includes SNMPv3 Configuration Wizard
• Now available from SNMP Research, soon to also be available from HP
• Also available with Remote Forwarder
14 of 51
Distributed SNMP Security Pack
15 of 51
Product and Technology Initiatives
16 of 51
Where are we?
• Now that SNMPv3 is at Full Standard, are we done yet?
– Not yet
– More to be done
• There are still unmet needs in the area of standards-based Internet management
There is still more to be done
It is still too hard to do right
17 of 51
The Problem
• It continues to be unnecessarily expensive to develop, deploy, use, and support secure heterogeneous multi-vendor internets consisting of networked devices, systems, applications, and services.
• We need to make this technology easier
– For vendors to implement, and
– For users to deploy and use
18 of 51
In The Beginning …
• 15 years ago, we had
– Monitoring via proprietary CLI “show” commands
– Configuration and control via proprietary CLI commands
– No programmatic interface, difficult to write scripts, no “expect”
• The definition, implementation, and deployment of the SNMP-based Internet Standard Management Framework made an order-of-magnitude advancement in the state-of-the-art for Internet monitoring
19 of 51
… and Today
• Standards-based monitoring is now a solved problem for the most part -- now in pervasive and continuous use
• The Internet Standard Management Framework based on SNMPv1 was an instant success that continued to grow
• SNMPv2 was a disaster
• SNMPv3 caught on slowly but is now in demand
– The need for security
– September 11, 2001, but not limited to the USA
– Unrelated CERT advisory on SNMPv1 in February 2002
– Government sector: strong acceptance growth
– Private sector: public company audits/scrutiny/regulatory environment
20 of 51
… and Today
• For a variety of good reasons and poor excuses, the frameworks have not been as widely exploited for configuration and control operations as they have been for monitoring operations
• For the configuration and control of many products, we are still stuck where we were 10 to 15 years ago:
– Proprietary CLI
– No programmatic interface, difficult-to-write scripts
– Little change control rigor
– Poor interoperability within a vendor, none between vendors
21 of 51
The Goal
• We need to make order-of-magnitude advances in the state-of-the-art for configuration and control operations similar to those made for monitoring over the past 15 years …
• … with an increased level of seamlessness between monitoring and configuration / control
22 of 51
The Approach
• Execution: implement and deploy the technology standards we have today
• Extension: evolve and improve the technology
• Product Initiatives
– Ease-of-Use Initiative: configuration aids, MIBGuide, etc.
– DSSP: Distributed SNMP Security Pack for management through firewalls
• Technology Initiatives
– Extended Security Options (ESO Initiative)
– Advanced Protocol Operations (APO Initiative)
– XML-Based Internet Management (XML SNMP Initiative)
23 of 51
Ease of Use Initiative
Security Configuration Tools, MIBGuide, etc
24 of 51
Configuration Management Issues
• Users, keys, notifications, etc. must be configured on both managers and agents
• Keys are generated from pass-phrases and localized; pass-phrases are not stored on managed devices
• Keys need to be changed periodically
• Configuration must be updated in a timely manner (e.g., deny rights to a terminated employee)
• Configuration needs to be done remotely from a security management station, using a secure and private method
25 of 51
SNMPv3 Remote Administration
• Need to configure manager platforms and agents in accordance with enterprise policies
• Can do it with “vi” or “edit”, but really need something more friendly and powerful
• Security dependent on correct configurations
• Wizard and/or policy-based tools
• Configurable agents
• Configurable managers
26 of 51
SNMPv3 Remote Administration
[Diagram: in the Network Operations Center, an NMS (e.g., NNM with SNMP Security Pack), Other Management Platforms and Applications with SNMP Security Pack (e.g., OVPI), and a Security Administration Workstation running the Configuration Wizard and/or EnterPol Simple Policy Pro; through the Firewall they reach Managed Device(s) and Managed System(s) (e.g., CIAgent).]
27 of 51
Configuration Management Applications
• Configuration Management applications are very helpful to reduce complexity and human error
– One-agent-at-a-time “wizard” application
• Included with the standards-based security solution for NNM, i.e., the SNMP Security Pack for HP OpenView NNM
– Policy-based, multiple-target distribution application
• Available separately
28 of 51
SNMPv3 Configuration Wizard
29 of 51
Policy-based SNMP Configuration Management
30 of 51
MIBGuide
• Comprehensive toolset to design and develop multi-protocol accessible agents using a graphical Integrated Development Environment (IDE).
• Ease-of-use
– Ease the burden of creating MIB documents and developing, testing, and deploying agents.
• Productivity tool
• Quality improvement by design, not inspection
31 of 51
Secure Manager-to-Agent Communications Initiative
Extended Security Options
(SNMPv3 ESO)
32 of 51
SNMPv3 ESO: Extended Security Options
• SNMPv3 framework designed to be extensible and allow additional security models, including new
– Authentication algorithms and mechanisms
– Privacy algorithms and mechanisms
• ESO uses this to add two new strong privacy algorithms
– Advanced Encryption Standard (AES) in 128 bit CBC mode
– Triple DES (3DES) in 168 bit EDE CBC mode
33 of 51
SNMPv3 with ESO Yields
• Multiple authentication options (same as before)
– None, Strong, Stronger
• Multiple privacy options (two new ones)
– None, Weak, Strong, Stronger
• Multiple strong authentication algorithms and multiple strong privacy algorithms provide hot standby replacements if one is believed to be compromised
• Reconfigure rather than redeploy
34 of 51
SNMPv3 with ESO: Potentially more Secure
[Diagram: Administrative Workstation and NMS (HP OpenView NNM with SNMP Security Pack) in the Network Operations Center, behind Firewalls; SNMPv3 traffic to Managed Device(s) and Managed System(s) (e.g., CIAgent), with an Attacker shown on the path.]
35 of 51
SNMPv3 ESO Availability (in some countries)
• SNMPv3 ESO available today for:
– HP OpenView NNM and HP Extensible Agent
– Other management platforms
– Some embedded systems (e.g., Marconi ATM switches)
– Most open systems
– Other
• Future ESO work
– Articulation with other systems
• Radius
• TACACS+
• Etc.
– Integrated Security Model for SNMP (ISMS)
36 of 51
Protocol Enhancements Initiative
Advanced Protocol Operations(SNMPv3 APO)
37 of 51
Protocol Evolution

Generation | Protocol Operations   | Transport Mappings   | Security & Administration
1st        | RFC 1157 (1988–1993)  |                      | Community-based
2nd        | RFC 3416 (1993-now)   | RFC 3417 (1993-now)  | Party-based: RFC 1445-47 (1993-1995)
3rd        | APO (new work)        | XML (new work)       | User-based: RFC 3410-15 (1998-now)
38 of 51
Advanced Protocol Operations (APO) Initiative
• 3rd Generation Protocol Operations
– 1st Generation: RFC 1157
– 2nd Generation: RFC 1448, RFC 1905, RFC 3416
• 2 Levels
– APO Level 1: compatible with SMIv2 MIB documents
– APO Level 2: a superset; requires enhancements to the MIB grammar
39 of 51
Advanced Protocol Operations (APO) Initiative
• APO Level 1: compatible with SMIv2 MIB documents
– Aggregate objects formerly inaccessible
• Row Operations
• Tabular Operations
– OID Suppression
– Improved read operations, e.g., GetBulk scoping, etc.
– Improved write operations, e.g., improved error handling, application-specific error codes, etc.
40 of 51
Data Format: Traditional Way vs New Ways

Traditional (one varbind per cell, the full OID repeated each time):
TblNam.1.C1.R1=val, TblNam.1.C2.R1=val, …, TblNam.1.Cm.R1=val
TblNam.1.C1.R2=val, TblNam.1.C2.R2=val, …, TblNam.1.Cm.R2=val
…
TblNam.1.C1.Rn=val, TblNam.1.C2.Rn=val, …, TblNam.1.Cm.Rn=val

versus (explicit):
TblNam.0={
  {1={1=val, 2=val, ..., m=val}},
  {2={1=val, 2=val, ..., m=val}},
  …,
  {n={1=val, 2=val, ..., m=val}}
}

or (implicit):
TblNam.0={
  {1={val, val, …, val}},
  {2={val, val, …, val}},
  …,
  {n={val, val, …, val}}
}
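To make the three layouts concrete, the following added example (not code from the slides or from SNMP Research) parses the traditional cell-per-varbind text form into rows and columns, emits the explicit and implicit aggregate forms exactly as the slide sketches them, and measures the size ratio that the later "2x to 10x" benefit claim refers to. The table name "ifTable" and its cell values are constructed sample data, and the text formats are the slide's own notation rather than any wire encoding. The implicit form only works when every row carries the same columns 1..m, so the example refuses a sparse table and falls back to the explicit form there.

```python
# Added example: traditional cell-per-varbind table data versus the APO
# aggregate (explicit and implicit) forms drawn on the slide.
# "ifTable" and its cell values below are constructed sample data.
import re

# Traditional cell naming on the slide: TblNam.1.<column>.<row>=<value>
CELL_RE = re.compile(r"^(?P<tbl>[A-Za-z][A-Za-z0-9]*)\.1\.(?P<col>\d+)\.(?P<row>\d+)=(?P<val>.*)$")

SAMPLE_CELLS = [                     # constructed: two rows, three columns
    "ifTable.1.1.1=1", "ifTable.1.2.1=eth0", "ifTable.1.3.1=6",
    "ifTable.1.1.2=2", "ifTable.1.2.2=eth1", "ifTable.1.3.2=6",
]


def parse_cells(lines):
    """Group 'Tbl.1.col.row=val' strings into {table: {row: {col: val}}}."""
    tables = {}
    for line in lines:
        m = CELL_RE.match(line.strip())
        if m is None:
            raise ValueError("not a table-cell varbind: %r" % line)
        rows = tables.setdefault(m["tbl"], {})
        rows.setdefault(int(m["row"]), {})[int(m["col"])] = m["val"]
    return tables


def traditional_form(name, rows):
    """Every cell restates the full OID: TblNam.1.C.R=val,..."""
    return ",".join("%s.1.%d.%d=%s" % (name, c, r, v)
                    for r, cols in sorted(rows.items())
                    for c, v in sorted(cols.items()))


def explicit_form(name, rows):
    """TblNam.0={ {R={C=val, ...}}, ... }: row and column numbers kept,
    so missing cells (sparse rows) are representable."""
    body = ", ".join(
        "{%d={%s}}" % (r, ", ".join("%d=%s" % (c, v) for c, v in sorted(cols.items())))
        for r, cols in sorted(rows.items()))
    return "%s.0={%s}" % (name, body)


def implicit_form(name, rows):
    """TblNam.0={ {R={val, val, ...}}, ... }: column numbers dropped, values
    are positional, so every row must carry exactly columns 1..m."""
    col_sets = {tuple(sorted(cols)) for cols in rows.values()}
    if len(col_sets) != 1:
        raise ValueError("rows carry different column sets; use explicit_form")
    (cols,) = col_sets
    if cols != tuple(range(1, len(cols) + 1)):
        raise ValueError("columns are not contiguous 1..m; use explicit_form")
    body = ", ".join(
        "{%d={%s}}" % (r, ", ".join(v for _, v in sorted(cols_of.items())))
        for r, cols_of in sorted(rows.items()))
    return "%s.0={%s}" % (name, body)


def best_form(name, rows):
    """Implicit when the table is rectangular, explicit otherwise."""
    try:
        return implicit_form(name, rows)
    except ValueError:
        return explicit_form(name, rows)


def size_ratio(name, rows):
    """How many times larger the traditional text is than the chosen aggregate."""
    return len(traditional_form(name, rows)) / len(best_form(name, rows))


if __name__ == "__main__":
    rows = parse_cells(SAMPLE_CELLS)["ifTable"]
    print(traditional_form("ifTable", rows))
    print(explicit_form("ifTable", rows))
    print(implicit_form("ifTable", rows))
    print("ratio: %.2f" % size_ratio("ifTable", rows))
```

Even on this two-row toy table the repeated OID prefix costs more than the values do, which is the redundancy OID suppression removes; the saving grows with the number of rows and with the length of the table's OID prefix.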
41 of 51
Advanced Protocol Operations (APO) Initiative
• APO Level 2: akin to the IETF’s suspended work on SMI-DS within the SMI-NG WG
– All of APO Level 1, plus …
– Union, Struct, Array, Row, Table
– Data-type maintenance, i.e., Integer64, Unsigned64
– Nesting, e.g., something like this within a table:
IPAddress struct {
    AddressType INTEGER,
    union {
        IPv4Address OCTET STRING (SIZE(4)),
        IPv6Address OCTET STRING (SIZE(16))
    }
}
42 of 51
APO Benefits
• Suppression of redundant information yields network and processing efficiencies; 2x to 10x is not unusual
• Think in the abstraction that is most natural
– A row is a row, a table is a table
• Operations on meta-objects are easier for some people to understand and code correctly
– Somewhat easier on read operations
– A lot easier on thorny configuration operations
• XML initiative builds on APO initiatives
43 of 51
XML-based Modeling and Transport of Management Information Initiative
XML-based Internet Management(XML SNMP)
44 of 51
XML Transport Mapping Initiative
• XML-Based Internet Management means different things to different people
– XML-ification of proprietary CLI: a factor-of-2 incremental improvement
– XML-ification of standards-based management data: an order-of-magnitude advancement
– XML transport of entirely new and different data model(s): an order of magnitude backwards
– … many more …
• These are not mutually exclusive and can coexist
45 of 51
XML Initiative
• XML-Based Internet Management
• Lacking a catchy marketing name
• Stream over TCP connection
• ASCII rather than compact binary encodings
• Respond to market demand
• Need to be careful not to repeat history:
– re-solving the solved problem
– while not solving the unsolved problems, and
– creating new problems
• Avoid political wars
46 of 51
SNMPv3 over UDP through Firewalls
[Diagram: an NMS (e.g., NNM with SNMP Security Pack, OV) sends SNMPv3 / UDP through firewalls to CIAgent instances on Sun, HP, XP and Linux hosts and to Internet Devices with SNMP Agents.]
47 of 51
Management Traffic in XML tunnel through Firewalls
[Diagram: the NMS (e.g., NNM with Distributed SNMP Security Pack, OV) carries Management Information in XML over SSL over TCP through firewalls to a remote Distributed SNMP Security Pack, which speaks SNMPv1/v2/v3 over UDP locally to CIAgent instances on XP, Sun, Linux and HP hosts and to Internet Devices with SNMP Agents.]
48 of 51
NNM with SNMP Security Pack and XML
[Architecture diagram; labels: Applications (NNM, Config Wizard, Remote Admin, Other Secured Applications, Other Applications), Security Layer (LCD; SNMPv1, SNMPv2, SNMPv3, SNMPv3 ESO, XML), Network Layer.]
49 of 51
Multiprotocol Agent Architecture with XML
50 of 51
Summary
• SNMP Security Pack is a pragmatic solution for adding secure SNMPv3 capability to NNM
– After security credentials have been configured, operation using Security Pack is transparent to NNM functions
– Includes the “SNMPv3 Configuration Wizard” application for configuration of agents
– Supported on HP-UX, Solaris, and Windows
• Additional work underway
– Security enhancements: ESO initiative
– Protocol enhancements: APO initiative
– Transport enhancements: XML initiative
– Ease-of-use enhancements: MIBGuide initiative
51 of 51
For More Information
• Exhibit Area
• Session 325: Wednesday, June 21, 8:30-9:30
– Standards-based Secure Management of Networks, Systems, Applications and Services using SNMPv3 and HP OpenView
• ESO: http://www.snmp.com/protocol/eso.html
• APO: http://www.snmp.com/protocol/apo.html
• XML: http://www.snmp.com/protocol/xml.html
Dr. Jeff Case
3001 Kimberlin Heights Road
Knoxville, TN 37920
USA
+1 865 573 [email protected]